redline | 2ac355251d6b08c439b4b4b2220ff456ec6a61bc7bf523e5e252cc9a402f0320

General

Target

2ac355251d6b08c439b4b4b2220ff456ec6a61bc7bf523e5e252cc9a402f0320.exe
Size

584KB
MD5

ff6acdd647369ca49e058a57d8f142a5
SHA1

5da2198f47f47e61e41ea6bd12c220bf65be98be
SHA256

2ac355251d6b08c439b4b4b2220ff456ec6a61bc7bf523e5e252cc9a402f0320
SHA512

33ad93e01d7dc5520271185f0cf5ecb42c2d6767ff0af58aa95323dfd5b2bb36089a3ffbbf8d9d2f6490fc922137257e9f0b2a8f34c43ced053c7855b65c9cf3
SSDEEP

12288:6MrEy90QBGhEHDQOxnONoU21E9HYs/kuSLYxgRyNzP:Ky1BQtuqt2AdS8xgMh

Score

10^/10

redline diza discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k2706550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k2706550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k2706550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k2706550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k2706550.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3028	y2587839.exe
4048	y7270517.exe
4228	k2706550.exe
4212	l8410751.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k2706550.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7270517.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y7270517.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2ac355251d6b08c439b4b4b2220ff456ec6a61bc7bf523e5e252cc9a402f0320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2ac355251d6b08c439b4b4b2220ff456ec6a61bc7bf523e5e252cc9a402f0320.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y2587839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2587839.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4228	k2706550.exe
4228	k2706550.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe
4212	l8410751.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	k2706550.exe
Token: SeDebugPrivilege	4212	l8410751.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 3028	2532	2ac355251d6b08c439b4b4b2220ff456ec6a61bc7bf523e5e252cc9a402f0320.exe	66
PID 2532 wrote to memory of 3028	2532	2ac355251d6b08c439b4b4b2220ff456ec6a61bc7bf523e5e252cc9a402f0320.exe	66
PID 2532 wrote to memory of 3028	2532	2ac355251d6b08c439b4b4b2220ff456ec6a61bc7bf523e5e252cc9a402f0320.exe	66
PID 3028 wrote to memory of 4048	3028	y2587839.exe	67
PID 3028 wrote to memory of 4048	3028	y2587839.exe	67
PID 3028 wrote to memory of 4048	3028	y2587839.exe	67
PID 4048 wrote to memory of 4228	4048	y7270517.exe	68
PID 4048 wrote to memory of 4228	4048	y7270517.exe	68
PID 4048 wrote to memory of 4212	4048	y7270517.exe	69
PID 4048 wrote to memory of 4212	4048	y7270517.exe	69
PID 4048 wrote to memory of 4212	4048	y7270517.exe	69

C:\Users\Admin\AppData\Local\Temp\2ac355251d6b08c439b4b4b2220ff456ec6a61bc7bf523e5e252cc9a402f0320.exe
"C:\Users\Admin\AppData\Local\Temp\2ac355251d6b08c439b4b4b2220ff456ec6a61bc7bf523e5e252cc9a402f0320.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2587839.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2587839.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7270517.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7270517.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2706550.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2706550.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8410751.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8410751.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2587839.exe

Filesize
377KB

MD5
c4332097c8add2d268a36f0f081f95ae

SHA1
bd708846ec8f6bfdd6e26f3e1d06ada9374a2ede

SHA256
a4ea314e3f8f3f2ec164478834c00abdbab146c59a7ca391925d1b286083a511

SHA512
db2de2d97abecf772bac452e4c2c2e2597f65b2efcd6a2c2de7458a2bcb119f9f007c6940a65e3d2a9529dcd89953a07641243040101300ce154fe2c4923d3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2587839.exe

Filesize
377KB

MD5
c4332097c8add2d268a36f0f081f95ae

SHA1
bd708846ec8f6bfdd6e26f3e1d06ada9374a2ede

SHA256
a4ea314e3f8f3f2ec164478834c00abdbab146c59a7ca391925d1b286083a511

SHA512
db2de2d97abecf772bac452e4c2c2e2597f65b2efcd6a2c2de7458a2bcb119f9f007c6940a65e3d2a9529dcd89953a07641243040101300ce154fe2c4923d3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7270517.exe

Filesize
206KB

MD5
2f893087c2dbe4a65fffca0d7c5a16b8

SHA1
ce4757ac078d7239c2dca647af4fd9de4be0c07a

SHA256
cc378a62485ed8e81cab4f9ce7d146938f0ec57d76d7b913ab1a0df07feebccf

SHA512
eabe30bb27ac9a2b1df9f4a5f62ce23353d88a13be42edecb6dd3029d2fdc498709c27f3c7f1f31aff27d20d57502682ed9a4735af6d80109d949cf741cfbf3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7270517.exe

Filesize
206KB

MD5
2f893087c2dbe4a65fffca0d7c5a16b8

SHA1
ce4757ac078d7239c2dca647af4fd9de4be0c07a

SHA256
cc378a62485ed8e81cab4f9ce7d146938f0ec57d76d7b913ab1a0df07feebccf

SHA512
eabe30bb27ac9a2b1df9f4a5f62ce23353d88a13be42edecb6dd3029d2fdc498709c27f3c7f1f31aff27d20d57502682ed9a4735af6d80109d949cf741cfbf3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2706550.exe

Filesize
12KB

MD5
b20f8d8ed9871d6bdc9521778966edda

SHA1
d67137a8019d52c2b2ad602a3794520723a2f3cf

SHA256
5b41c00e640b6fd13a0b11698443188ed640c24d7d0ced938d8578759e2e2ab0

SHA512
709545a06fb2fb46658147c397244a1e80baa08257a0547b29136c40175394d7974605ead8917d8168b76e1f18d050067457dc8240dfd535780a2811cc228b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2706550.exe

Filesize
12KB

MD5
b20f8d8ed9871d6bdc9521778966edda

SHA1
d67137a8019d52c2b2ad602a3794520723a2f3cf

SHA256
5b41c00e640b6fd13a0b11698443188ed640c24d7d0ced938d8578759e2e2ab0

SHA512
709545a06fb2fb46658147c397244a1e80baa08257a0547b29136c40175394d7974605ead8917d8168b76e1f18d050067457dc8240dfd535780a2811cc228b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8410751.exe

Filesize
172KB

MD5
b9d191536b55737aff4057d01387737c

SHA1
198066ba38ff935af6c64f6788b0759058eae1ce

SHA256
d04e592fa2ff366d9f47270d6566913a8a5d358723283b728c79f095be0ef890

SHA512
3691dc0b44ebc5d6d634b9889a9378e2751275dbe02ce400e1984cd75f29337f7b67edaa25df7d0aa77db0036fe4236e3c7e6f9433596f9981232b8c21ed09fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8410751.exe

Filesize
172KB

MD5
b9d191536b55737aff4057d01387737c

SHA1
198066ba38ff935af6c64f6788b0759058eae1ce

SHA256
d04e592fa2ff366d9f47270d6566913a8a5d358723283b728c79f095be0ef890

SHA512
3691dc0b44ebc5d6d634b9889a9378e2751275dbe02ce400e1984cd75f29337f7b67edaa25df7d0aa77db0036fe4236e3c7e6f9433596f9981232b8c21ed09fb

Download Submit
memory/4212-156-0x000000000A3C0000-0x000000000A452000-memory.dmp

Filesize
584KB

Download
memory/4212-155-0x000000000A2A0000-0x000000000A316000-memory.dmp

Filesize
472KB

Download
memory/4212-148-0x0000000002360000-0x0000000002366000-memory.dmp

Filesize
24KB

Download
memory/4212-149-0x000000000A490000-0x000000000AA96000-memory.dmp

Filesize
6.0MB

Download
memory/4212-150-0x0000000009FF0000-0x000000000A0FA000-memory.dmp

Filesize
1.0MB

Download
memory/4212-151-0x0000000009F20000-0x0000000009F32000-memory.dmp

Filesize
72KB

Download
memory/4212-152-0x0000000009F80000-0x0000000009FBE000-memory.dmp

Filesize
248KB

Download
memory/4212-153-0x000000000A100000-0x000000000A14B000-memory.dmp

Filesize
300KB

Download
memory/4212-154-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/4212-147-0x00000000001F0000-0x0000000000220000-memory.dmp

Filesize
192KB

Download
memory/4212-162-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/4212-157-0x000000000B0A0000-0x000000000B59E000-memory.dmp

Filesize
5.0MB

Download
memory/4212-158-0x000000000ABA0000-0x000000000AC06000-memory.dmp

Filesize
408KB

Download
memory/4212-159-0x000000000AFD0000-0x000000000B020000-memory.dmp

Filesize
320KB

Download
memory/4212-160-0x000000000B770000-0x000000000B932000-memory.dmp

Filesize
1.8MB

Download
memory/4212-161-0x000000000BE70000-0x000000000C39C000-memory.dmp

Filesize
5.2MB

Download
memory/4228-142-0x0000000000D60000-0x0000000000D6A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads